
Ensure catch-all FlowSchema object for API Priority and Fairness Exists

An XCCDF Rule

Description

Using the APIPriorityAndFairness feature provides a fine-grained way to control the behaviour of the Kubernetes API server in an overload situation. The well-known catch-all FlowSchema should be available to make sure that every request gets some kind of classification. By default, the catch-all priority level only allows one concurrency share and does not queue requests. To inspect all the FlowSchema objects, run:

oc get flowschema

To inspect the well-known catch-all object, run the following:

oc describe flowschema catch-all

Dependency Warning

Note that this is only applicable in OpenShift Container Platform version 4.11 and higher

Warning

This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API, retrieve the /apis/flowcontrol.apiserver.k8s.io/v1beta2/flowschemas/catch-all API endpoint, and save its response to the local /apis/flowcontrol.apiserver.k8s.io/v1beta2/flowschemas/catch-all file.
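The following is an added example, not part of the rule or of the ComplianceAsCode project, of how a check over such a dump can be written. It reads the catch-all FlowSchema from the dump at the endpoint path named above and distinguishes three outcomes: the object is present and references a priority level, the API server answered with a NotFound Status object (what the API returns when the FlowSchema has been deleted), or the file is missing or unparsable. The sample bodies are constructed here; the field names follow the flowcontrol.apiserver.k8s.io/v1beta2 FlowSchema schema, and the function names are this example's own.

```python
import json
import tempfile
from pathlib import Path

# Endpoint path the rule's check reads from the cluster configuration dump (from the rule text).
CATCH_ALL_PATH = "/apis/flowcontrol.apiserver.k8s.io/v1beta2/flowschemas/catch-all"

# Constructed sample of the endpoint's response when the catch-all FlowSchema exists.
# Only the fields this check inspects are filled in; the rule list is abbreviated.
SAMPLE_PRESENT = json.dumps({
    "apiVersion": "flowcontrol.apiserver.k8s.io/v1beta2",
    "kind": "FlowSchema",
    "metadata": {"name": "catch-all"},
    "spec": {
        "matchingPrecedence": 10000,
        "priorityLevelConfiguration": {"name": "catch-all"},
        "rules": [{"subjects": [{"kind": "Group", "group": {"name": "system:authenticated"}}]}],
    },
})

# Constructed sample of the API server's reply when the object does not exist:
# a Status object rather than a FlowSchema, with HTTP code 404.
SAMPLE_MISSING = json.dumps({
    "apiVersion": "v1",
    "kind": "Status",
    "status": "Failure",
    "reason": "NotFound",
    "code": 404,
})


def evaluate_catch_all(body: str) -> dict:
    """Return a pass/fail verdict for the rule from the raw JSON body stored in the dump."""
    try:
        obj = json.loads(body)
    except json.JSONDecodeError as exc:
        return {"pass": False, "reason": f"dump content is not valid JSON: {exc}"}

    # A Status object means the API server answered but had no such FlowSchema.
    if obj.get("kind") == "Status":
        return {"pass": False,
                "reason": f"API returned {obj.get('reason')} (code {obj.get('code')})"}

    if obj.get("kind") != "FlowSchema" or obj.get("metadata", {}).get("name") != "catch-all":
        return {"pass": False, "reason": "object is not the catch-all FlowSchema"}

    # Every FlowSchema must point at a priority level; report which one the catch-all uses.
    level = obj.get("spec", {}).get("priorityLevelConfiguration", {}).get("name")
    if not level:
        return {"pass": False, "reason": "catch-all FlowSchema references no priority level"}
    return {"pass": True, "reason": f"catch-all FlowSchema present, priority level '{level}'"}


def evaluate_dump(dump_dir) -> dict:
    """Evaluate the rule against a dump directory laid out like the cluster's API path tree."""
    path = Path(dump_dir) / CATCH_ALL_PATH.lstrip("/")
    if not path.is_file():
        return {"pass": False, "reason": f"{path} is missing from the dump"}
    return evaluate_catch_all(path.read_text())


if __name__ == "__main__":
    # Build a throwaway dump directory containing the constructed "present" sample and evaluate it.
    with tempfile.TemporaryDirectory() as tmp:
        target = Path(tmp) / CATCH_ALL_PATH.lstrip("/")
        target.parent.mkdir(parents=True)
        target.write_text(SAMPLE_PRESENT)
        print("dump with catch-all:", evaluate_dump(tmp))
    print("NotFound response:", evaluate_catch_all(SAMPLE_MISSING))
    print("empty dump dir:", evaluate_dump(tempfile.gettempdir() + "/no-such-dump"))
```

The check deliberately treats a Status object as a failure rather than as a parse error, because a deleted catch-all FlowSchema is exactly the condition the rule exists to catch; a missing file, by contrast, usually means the dump itself is incomplete and should be investigated separately.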

Rationale

The FlowSchema API objects enforce a limit on the number of events that the API Server will accept in a given time slice. In a large multi-tenant cluster, there might be a small percentage of misbehaving tenants which could have a significant impact on the performance of the cluster overall. It is recommended to limit the rate of events that the API Server will accept.

ID
xccdf_org.ssgproject.content_rule_api_server_api_priority_v1beta2_flowschema_catch_all
Severity
Medium